I currently manage LDAP for a subset of users at our organization for some separate systems. The organization also uses LDAP for all of its users. My separate LDAP server uses different usernames for its users. I've been tasked with getting rid of this separate LDAP, migrating all of our systems over to the central LDAP and having users use their normal organizational credentials.

To that end, I've created a new LDAP server as a translucent proxy. The central LDAP does not contain POSIX attributes. I'm not being permitted to create them, and they are not willing to add them. I've tested with my new proxy that I can search for a user and retrieve all of their back-end LDAP attributes and all of my local overlay attributes. The translucent proxy is working.

Now I'm at the step of setting up sssd to authenticate users on Linux hosts. This is not working because sssd searches using a filter that contains objectclass=posixAccount and uidNumber. I've ensured that those values are in my overlay, but they do not exist in the back-end LDAP. As a result, I get no user returned from the search. I've changed the sssd config to make objectclass=person in the search filter, but that still leaves the uidNumber issue.

Is there any way around this? I've exhausted the documentation for sssd and don't see it. Is there a way in the LDAP proxy to handle this? Do I need to set olcTranslucentLocal to define the local-only attributes? My guess is I'll have the same issue with groups and gidNumber when I get to that step of the process as well. If this is a dead end, are there any other options to do what I need to do?

Thank you,
-Christopher
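For reference, here is an added example (not part of the post above, and not tested against the poster's setup) of how the slapo-translucent overlay's local-attribute list can be declared in cn=config so that search filter terms on overlay-only attributes such as uidNumber and gidNumber are evaluated against the local database rather than forwarded to the remote directory, which is the behaviour olcTranslucentLocal is meant to provide according to slapo-translucent(5). The database DN `olcDatabase={2}mdb,cn=config`, the module entry `cn=module{0},cn=config`, the module file name `translucent.la`, and the attribute lists are assumptions to adjust to the actual proxy configuration.

```ldif
# Added example (not from the original post). Assumed DNs and attribute lists;
# verify the overlay semantics against slapo-translucent(5) on your version.

# Load the translucent overlay module (skip if slapd was built with it linked in).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: translucent.la

# Attach the overlay to the proxy database that holds the local overlay entries.
dn: olcOverlay=translucent,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcTranslucentConfig
olcOverlay: translucent
# Attributes that exist only in the local overlay: filter terms using them are
# matched locally, so "(uidNumber=10001)" no longer has to exist in the back end.
olcTranslucentLocal: uidNumber,gidNumber,homeDirectory,loginShell,memberUid
# Attributes that exist only in the remote directory: filter terms using them
# are matched against the central server.
olcTranslucentRemote: uid,cn,sn,mail
# Do not create glue entries in the local database for remote-only entries.
olcTranslucentNoGlue: TRUE
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f translucent.ldif` on the proxy host, then reproduce the sssd lookup by hand with the same style of filter sssd uses, e.g. `ldapsearch -x -H ldap://proxy.example.org -b "ou=people,dc=example,dc=org" "(&(objectClass=person)(uidNumber=10001))" uid uidNumber gidNumber` (hostname, base DN and uidNumber value are placeholders). If the merged entry comes back with both the remote attributes and the overlay's POSIX attributes, the same local list (with gidNumber and memberUid) covers the group lookups sssd performs later.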